Microsoft Windows IGMP v3 DoS Vulnerability

Juniper gave the vulnerability details in their advisory. The first two attachments above are the Windows and Linux versions of the source code; the attachment I am posting below is the PoC from a Russian, no source, a Windows EXE.

The vulnerability was disclosed around 2006-02-15. Although many security groups wrote PoCs on the day it was disclosed, nobody spread them publicly. That lasted until the Russian's PoC came out around March 19; the two source-code versions came a little later.

This vulnerability can be carried out across the WAN, but ever since some earlier incidents, routers at every level have been filtering IGMP packets, which greatly reduces the odds of pulling it off across the WAN; it is no longer as rampant as the "IGMP fragment attack" fixed by Q238329 back in the day. Causing trouble wholesale within a LAN, however, is still no problem.

Those of you who like packet capture analysis can capture the traffic yourselves and compare it against Juniper's description to deepen your understanding. You can also try writing a filter rule to catch this kind of attack. Of course, since there are so many variants of this attack, a protocol analyzer alone can hardly catch all of them, so what I said above refers only to designing filter rules for these three PoCs.

http://www.juniper.net/security/auto/vulnerabilities/vuln2866.html

Description:
Microsoft Windows operating systems use Transmission Control Protocol/Internet Protocol (TCP/IP) as the standard protocol for transmitting data between hosts over a network. The Internet Group Management Protocol (IGMP) is a TCP/IP communications protocol for managing IP multicast group memberships, and is used by IP hosts and multicast routers to establish these group memberships. Four versions of IGMP exist, with each version defined in RFC 988, RFC 1112, RFC 2236, and RFC 3376 respectively.

A denial of service vulnerability exists in the IGMP version 3 implementation in Microsoft Windows XP and Server 2003 operating systems. This vulnerability is due to a flaw when handling fixed length IP Header Options while processing IGMP version 3 Membership Query messages. If IP options exist in the IP header of an IGMP version 3 Membership Query message, the tcpip.sys driver will attempt to locate the Router Alert Option by going through the list of supplied options and adding the previous option's length field value to the base index. If a 1-byte option is encountered, and is followed by an End of Option, then the End of Option option code will be interpreted as the length of the option field of the option being examined, and is added to the base index in order to move on to the next option. As a result, the same option is analyzed in subsequent loop iterations causing an infinite loop. Since the TCP/IP stack driver code runs in the kernel context, the CPU cannot be used for other tasks, therefore, a denial of service condition occurs. In this case, the target host must be restarted to resume functionality.

A remote, unauthenticated attacker could cause a system-wide denial of service by sending a crafted IGMP version 3 message to a vulnerable host. The vulnerability is exploited upon processing of the message.

Affected Products:
Microsoft Windows XP
Microsoft Windows 2003 Server

[[i] This post was last edited by scz on 2006-4-4 20:32 [/i]]
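Added example (not code from the original post, from Juniper, or from Microsoft): a C model of the IP-options walk that Juniper's description attributes to tcpip.sys when it hunts for the Router Alert option in an IGMPv3 Membership Query, a hardened walker beside it that treats the 1-byte options (NOP and End of Option) correctly, and a matcher for the trigger pattern that a capture filter of the kind mentioned above would look for. The packet bytes are constructed here for illustration and are not taken from any of the three PoCs; checksums are left at zero because nothing is sent; the iteration cap `MAX_ITER` and all function names are this example's own.

```c
/* Added example, not from the original post, Juniper or Microsoft.
 * Models the IP-options walk described in the Juniper advisory text and
 * shows a walker that cannot be made to spin, plus a matcher for the
 * trigger pattern (1-byte option followed by End of Option). */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define IPOPT_EOL 0     /* End of Option list, 1 byte */
#define IPOPT_NOP 1     /* No Operation, 1 byte */
#define IPOPT_RA  148   /* Router Alert, 4 bytes, carried by IGMPv3 queries */
#define MAX_ITER  64    /* assumption: cap so this model returns instead of hanging */

/* Walk as the advisory describes it: every option is assumed to carry a
 * length byte at opts[i+1], which is added to the index. A NOP (1 byte)
 * followed by EOL makes that "length" 0, so the index never moves.
 * Returns the RA offset, -1 if absent, -2 if the cap was hit (the real
 * driver, running in kernel context, would loop forever here). */
int find_ra_buggy(const uint8_t *opts, size_t len) {
    size_t i = 0;
    int iter = 0;
    while (i < len) {
        if (++iter > MAX_ITER) return -2;
        uint8_t type = opts[i];
        if (type == IPOPT_RA) return (int)i;
        if (type == IPOPT_EOL) return -1;
        if (i + 1 >= len) return -1;
        i += opts[i + 1];          /* flaw: 1-byte options have no length field */
    }
    return -1;
}

/* Hardened walk: EOL terminates, NOP advances by exactly one byte, every
 * other option must declare a length of at least 2 that fits the buffer.
 * Malformed options are rejected; the index strictly increases each turn. */
int find_ra_safe(const uint8_t *opts, size_t len) {
    size_t i = 0;
    while (i < len) {
        uint8_t type = opts[i];
        if (type == IPOPT_EOL) return -1;
        if (type == IPOPT_NOP) { i++; continue; }
        if (i + 1 >= len) return -1;            /* truncated option header */
        uint8_t olen = opts[i + 1];
        if (olen < 2 || i + olen > len) return -1;  /* bad length: reject */
        if (type == IPOPT_RA) return (int)i;
        i += olen;
    }
    return -1;
}

/* Returns 1 when a raw IPv4 packet is an IGMP Membership Query (IGMP type
 * 0x11) whose option area contains a NOP immediately followed by EOL,
 * i.e. the shape that drives the buggy walker into its loop; 0 otherwise. */
int is_trigger_packet(const uint8_t *pkt, size_t pktlen) {
    if (pktlen < 20 || (pkt[0] >> 4) != 4) return 0;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if (ihl <= 20 || ihl > pktlen) return 0;        /* no options present */
    if (pkt[9] != 2) return 0;                      /* protocol 2 = IGMP */
    if (pktlen < ihl + 1 || pkt[ihl] != 0x11) return 0;  /* not a Membership Query */
    const uint8_t *opts = pkt + 20;
    size_t len = ihl - 20, i = 0;
    while (i < len) {
        uint8_t type = opts[i];
        if (type == IPOPT_EOL) return 0;
        if (type == IPOPT_NOP) {
            if (i + 1 < len && opts[i + 1] == IPOPT_EOL) return 1;
            i++; continue;
        }
        if (i + 1 >= len) return 0;
        uint8_t olen = opts[i + 1];
        if (olen < 2 || i + olen > len) return 0;
        i += olen;
    }
    return 0;
}

/* Constructed sample packets (IHL=6, 24-byte header, TTL 1, proto 2,
 * 192.168.1.1 -> 224.0.0.1, checksums zero), followed by a 12-byte IGMPv3
 * General Query: type 0x11, max resp 100, group 0.0.0.0, QRV 2, QQIC 125. */
const uint8_t TRIGGER_PKT[] = {
    0x46,0x00,0x00,0x24, 0x00,0x00,0x00,0x00, 0x01,0x02,0x00,0x00,
    0xc0,0xa8,0x01,0x01, 0xe0,0x00,0x00,0x01,
    0x01,0x00,0x00,0x00,                       /* NOP, EOL, pad, pad */
    0x11,0x64,0x00,0x00, 0x00,0x00,0x00,0x00, 0x02,0x7d,0x00,0x00 };
const uint8_t BENIGN_PKT[] = {
    0x46,0x00,0x00,0x24, 0x00,0x00,0x00,0x00, 0x01,0x02,0x00,0x00,
    0xc0,0xa8,0x01,0x01, 0xe0,0x00,0x00,0x01,
    0x94,0x04,0x00,0x00,                       /* Router Alert, len 4, value 0 */
    0x11,0x64,0x00,0x00, 0x00,0x00,0x00,0x00, 0x02,0x7d,0x00,0x00 };

int main(void) {
    const uint8_t *t = TRIGGER_PKT + 20, *b = BENIGN_PKT + 20;
    printf("buggy walker, NOP+EOL: %d (-2 means it would spin)\n", find_ra_buggy(t, 4));
    printf("safe walker,  NOP+EOL: %d\n", find_ra_safe(t, 4));
    printf("buggy walker, RA:      %d\n", find_ra_buggy(b, 4));
    printf("safe walker,  RA:      %d\n", find_ra_safe(b, 4));
    printf("trigger match: %d / benign match: %d\n",
           is_trigger_packet(TRIGGER_PKT, sizeof TRIGGER_PKT),
           is_trigger_packet(BENIGN_PKT, sizeof BENIGN_PKT));
    return 0;
}
```

The matcher keys on the exact option shape the advisory describes, which is what a per-PoC filter rule can do; as the post notes, variants that reach the same non-advancing index by other option layouts would need their own rules, which is why the hardened walker enforces strictly increasing progress rather than special-casing one byte sequence.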
